Placing certain Hosts on the WAN side of the firewall
-
Okay so here is my situation. My ISP has a goofy way of assigning addresses. I am given one class C PRIVATE subnet. In my case it is 192.168.8.x. So when I plug anything into the ethernet port provided by my ISP, I am given an address in that subnet by a DHCP server they control. I can add a switch and get many addresses, but I have chosen to use pfSense so that I can have publicly reachable services through a VPN. (I could find no other way to do port forwarding on different interfaces other than WAN.) So really, the way I have it set now I have a double NAT situation: the NAT that my pfSense box is doing as well as the NAT my ISP is doing. What I want is to be able to specify certain hosts to use my pfSense WAN port for everything. Ideally, the hosts I specify would request an address from DHCP and pfSense would ignore those requests on its DHCP server and forward them to the WAN port (my ISP's private class C network that I am assigned). I'm not sure if this is possible or not but I am hoping to not have to run a separate cable to each bedroom in my house as this is for Xboxes, which sometimes do not like the double NAT scenario.
I am hoping that explains enough but let me put it a different way in case I didn't. I want all my Xboxes in the house to have 192.168.8.x/24 addresses while now (double NATed) they have 10.69.1.x addresses given by the pfSense DHCP server. After researching I realize this may not be possible, so maybe a 1:1 NAT setup with virtual IPs or something else, but worst case scenario I suppose I could add a switch directly at the internet entry point and connect the pfSense WAN port as well as all Xboxes via another run of cable to all 5 bedrooms and the living room (all the Xboxes), but that is what I am trying to avoid. Let me know if I didn't explain something well enough and I appreciate it ahead of time. Thanks
-
Frankly I don't understand what the issue is :-[
Of course it might be better to avoid one level of NAT, but except for some specific cases it should work.
If you plug only pfSense (WAN interface) into your provider's router, and assuming of course every incoming request is forwarded to pfSense, then why do you care about double NAT?
You receive everything on the WAN side and redirect to whatever internal server you need. Of course, if you intend to handle many web servers, e.g., then redirecting to one single reverse proxy will definitely make your life easier ;)
-
Honestly I really don't see why it wouldn't work either, but occasionally I get a NAT error when trying to host or join a game. What's weird is it isn't all the time, but when I do get it the only thing I can do to fix it is to run whatever Xbox I'm on directly to my ISP subnet and it's a pain to do all the time. While troubleshooting this issue I found this over at Microsoft Support:
Step 4: Put your gateway into bridge mode
If you use a router and a gateway, both devices may be performing NAT. If both devices are performing NAT, you may have trouble hosting or joining multiplayer games and parties or hearing other players.
To resolve this issue, put your gateway into bridge mode.
Which is effectively what I was asking (put my Xboxes bridged directly to the ISP subnet (WAN port)).
It will take a while to confirm it worked, but here is what I am working on now; if you could tell me if I'm on the right path I'd appreciate it.
I have 5 Xbox 360s. I set each up with their own static DHCP lease so they will maintain the same IP always. I then made 5 Virtual IPs using my WAN network subnet and am working on doing a 1:1 NAT right now. That should effectively pass ANY and ALL traffic destined for those VIPs to the Xboxes I have mapped in 1:1, correct? Am I missing any steps? I went to school for Cisco networking and got my CCNA but that was a long time ago and I haven't had a lot of practical experience.
-
;D My initial understanding was that you intended to host services and wanted to deal with incoming port forwarding, but I realise now that the problem you face is with some games. Indeed some on-line games do not deal very well with double NAT. Even 1:1 NAT will not solve the issue.
Although I haven't tried yet, the only solution (if you definitely can't configure your ISP router in bridge mode) would be to configure a bridged VLAN so that your Xbox is seen on the external network and not on the internal one.
-
That is exactly what I want to do ;D ;D
I cannot do anything with my ISP's side of things, so my only other 2 options are configuring my pfSense box as a bridge only, which I don't really want to do, or configuring a VLAN as you stated.
Would I just bridge that VLAN with my WAN? And then how do I go about directing the individual hosts to the VLAN instead of my normal LAN? I can figure out how to make sure DHCP gets forwarded and all that if I could just get my Xboxes on the external network. Sorry, I am normally very self sufficient and use Google to solve everything... in most cases I am telling people to UTFSE and find it themselves; it's just the terminology that I have issues with, so searching becomes too broad. I really appreciate your help and saving me the trouble of setting up all this 1:1 crap with pfSense. I used to think I was really good with networking until I got this firewall. :-\ Too many options get me lost quick. LOL
-
By the way, hosting services is exactly why I have pfSense, to which I figured out if I run my grandmother's PC as a VPN server (she has DSL with a dedicated public IP) and connect pfSense to that, I can host any service I want (my camera system, FTP site etc.) by forwarding ports from the VPN interface. If there were any other way to do that, I would not have this advanced, feature rich but very confusing firewall. lol. A lil off topic but explains why I am using pfSense to begin with. Thanks
-
There are really two, maybe four, solutions to the problem of what you want to do. I will list them from best to worst:
1. Put your ISP's router into bridge mode.
2. Put your pfsense firewall into the dmz of your ISP router
3. Setup port forwarding on both ISP and pfsense router
4. Setup a pass through port on pfsense router
With option 2 you would still need to use port forwarding or UPnP on pfSense.
With option 4, that would require setting up a bridge between your wan port and a free port on your pfsense if it is available. I have seen some consumer grade equipment with that feature.
Me personally I would use option 1, if that is not possible go with option 2. Who is your ISP?
-
Some small company named Acadiana Broadband that handles about 6 small towns in this area. They use Ubiquiti dishes that point to the local water tower and it is the only ISP I have ever encountered that gives you a NATed private address. I have tried to contact them asking to open ports or allow UPnP but they will never get back to me about that, so I had to take matters into my own hands. I was ready to give up on trying to host services when I found pfSense and saw I could choose different interfaces (other than WAN) to forward ports, so now I have a Windows 10 PC running pfSense in Hyper-V with 3 NICs, and it also hosts a bunch of different servers (PlayOn, SoftEther VPN, print server, file server etc.), so I just leave it running all the time going to a managed 24 port gigabit switch then all throughout the house. But the Xboxes are the one thing I particularly treasure because it's the way I relate with my 5 kids. They love all sitting in their rooms with a headset on playing Xbox with all of us. How would I go about setting up a passthrough port? Would it be just as effective to have a decent (not too cheap) switch before the internet comes into pfSense and just run my Xboxes an extra cable in every bedroom? That's originally what I was wondering, if pfSense could be made to "pass-through" just the Xboxes based on MAC through the same LAN port, but that must not be possible, huh?
-
You would have to set up VLANs, therefore ensure that the switch behind pfSense does support VLANs too.
From what I understand, an Xbox directly attached to your ISP router should work (and if it works, go for this design), but if you have any other service listening behind pfSense, as you can't configure the ISP router to redirect ports, you have to decide whether this is for the Xbox or for pfSense.
Do I understand it right?
-
Put a switch into the ethernet port provided by my ISP. Connect Xbox-es to that switch directly.
Also connect pfSense's WAN port to that switch. Connect a second switch to pfSense's LAN port. Connect the rest of the clients to the second switch.
You need to run all the cables from all the devices in the rooms one by one to the location where these switches are.
If you have only one single cable to each room, and you use local switches in each room to split the network to multiple devices, you're in trouble.
You either lay new cables, or you buy lots of small VLAN-capable switches everywhere.
For a VLAN-ed setup, you need this:
- a master (core) VLAN-capable switch at the place where the ethernet port provided by my ISP comes in.
- smaller VLAN capable switches everywhere else
- in each switch, create two VLAN, say VLAN 10 and VLAN 20
- in the core switch, assign both VLANs as tagged, to ports going to the other smaller switches
- on the other switches, assign both VLANs as tagged, to the port which connects to the core switch
- in the core switch assign VLAN 10 to at least 2 ports, one for the ISP cable and one for pfSense's WAN port (yes, VLAN 10 will carry the ISP's 192.168.x.x network)
- in the other switches assign VLAN 10 to the port going to XBOX.
- in the core switch assign VLAN 20 to at least 1 port, and connect pfSense's LAN here (and this way VLAN 20 will carry your pfSense's LAN network)
- in the other switches assign VLAN 20 to the other ports for devices which are not XBOXes.
Example of VLAN-capable small switch (gigabit, 5-ports): http://www.tp-link.com/lb/products/details/cat-41_TL-SG105E.html
Example of VLAN-capable bigger switch (same as above but 16 ports): http://www.tp-link.com/lb/products/details/cat-41_TL-SG1016DE.html
These are cheap, but smarter series are http://www.tp-link.com/lb/products/details/cat-40_TL-SG2008.html and http://www.tp-link.com/lb/products/details/cat-40_TL-SG2216.html respectively.
Good luck!
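The VLAN plan above has a security-relevant property that is easy to get wrong by hand: every port untagged in VLAN 10 sits on the ISP's 192.168.8.x network with no pfSense in front of it, so a single mis-assigned port on a room switch quietly moves a PC outside the firewall. As an added example (not from this thread, pfSense or any switch vendor), here is a small Python model of that layout that computes the layer-2 broadcast domains from the port assignments and the cables between switches, then checks that Xboxes, the ISP uplink and pfSense's WAN end up together in VLAN 10, that everything else ends up with pfSense's LAN in VLAN 20, and that each room switch actually has a tagged path back to the core. The switch names ("core", "room1", "room2"), port numbers and role labels are constructed for the example; the tagged/untagged rules are the ones in the list above.

```python
"""Sanity-check the two-VLAN layout from the thread before touching real switches.

VLAN 10 carries the ISP's 192.168.8.0/24 (ISP uplink, pfSense WAN, Xboxes);
VLAN 20 carries pfSense's LAN (everything else). Switch names, port numbers
and role labels below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ISP_VLAN, LAN_VLAN = 10, 20

# Which untagged VLAN each kind of end port must sit in, per the design in the thread
EXPECTED_VLAN = {"isp": ISP_VLAN, "pfsense-wan": ISP_VLAN, "xbox": ISP_VLAN,
                 "pfsense-lan": LAN_VLAN, "device": LAN_VLAN}


@dataclass(frozen=True)
class Port:
    switch: str
    port: int
    role: str                       # one of EXPECTED_VLAN's keys, or "trunk"
    untagged: Optional[int] = None  # access VLAN / PVID
    tagged: FrozenSet[int] = frozenset()

    def vlans(self) -> FrozenSet[int]:
        return self.tagged | ({self.untagged} if self.untagged is not None else set())


def trunk(switch: str, port: int) -> Port:
    """Switch-to-switch port: both VLANs tagged, nothing untagged."""
    return Port(switch, port, "trunk", tagged=frozenset({ISP_VLAN, LAN_VLAN}))


def access(switch: str, port: int, role: str, vlan: int) -> Port:
    """End-device port: a single untagged VLAN."""
    return Port(switch, port, role, untagged=vlan)


# Constructed plan: one core switch where the ISP cable lands, plus two room switches.
PLAN: List[Port] = [
    access("core", 1, "isp", ISP_VLAN),
    access("core", 2, "pfsense-wan", ISP_VLAN),
    access("core", 3, "pfsense-lan", LAN_VLAN),
    trunk("core", 4), trunk("core", 5),
    trunk("room1", 1), access("room1", 2, "xbox", ISP_VLAN), access("room1", 3, "device", LAN_VLAN),
    trunk("room2", 1), access("room2", 2, "xbox", ISP_VLAN), access("room2", 3, "device", LAN_VLAN),
]
# Physical cables between switches, as ((switch, port), (switch, port)) pairs
LINKS: List[Tuple[Tuple[str, int], Tuple[str, int]]] = [
    (("core", 4), ("room1", 1)),
    (("core", 5), ("room2", 1)),
]


def broadcast_domains(plan: List[Port], links) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map each (switch, vlan) to a domain id. Two switches share a VLAN's broadcast
    domain only if a cable carries that VLAN the same way at both ends (tagged/tagged
    or untagged/untagged); a tagged/untagged mismatch would not pass frames correctly."""
    ports = {(p.switch, p.port): p for p in plan}
    parent: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for p in plan:
        for v in p.vlans():
            find((p.switch, v))
    for a, b in links:
        pa, pb = ports[a], ports[b]
        for v in pa.vlans() & pb.vlans():
            if (v in pa.tagged) == (v in pb.tagged):
                parent[find((pa.switch, v))] = find((pb.switch, v))
    return {k: find(k) for k in list(parent)}


def check_plan(plan: List[Port], links) -> List[str]:
    """Return a list of problems; an empty list means the plan matches the thread's design."""
    problems: List[str] = []
    for p in plan:
        if p.role == "trunk":
            if p.untagged is not None or p.tagged != frozenset({ISP_VLAN, LAN_VLAN}):
                problems.append(f"{p.switch}:{p.port} trunk must carry VLANs 10 and 20 tagged only")
        elif p.untagged != EXPECTED_VLAN[p.role] or p.tagged:
            problems.append(f"{p.switch}:{p.port} ({p.role}) must be untagged in VLAN {EXPECTED_VLAN[p.role]} only")
    domains = broadcast_domains(plan, links)
    isp = next(p for p in plan if p.role == "isp")
    lan = next(p for p in plan if p.role == "pfsense-lan")
    anchor = {ISP_VLAN: domains.get((isp.switch, ISP_VLAN)), LAN_VLAN: domains.get((lan.switch, LAN_VLAN))}
    for p in plan:
        if p.role in ("trunk", "isp", "pfsense-lan") or p.untagged != EXPECTED_VLAN[p.role]:
            continue  # trunks and anchors are covered above; mis-assigned ports already reported
        want = EXPECTED_VLAN[p.role]
        if domains.get((p.switch, want)) != anchor[want]:
            problems.append(f"{p.switch}:{p.port} ({p.role}) has no VLAN {want} path back to the core")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN, LINKS) or ["plan OK: VLAN 10 and VLAN 20 domains match the design"]:
        print(line)
```

Swap a room port's untagged VLAN from 20 to 10 and the check reports it as a device that would bypass pfSense; drop one of the core-to-room cables and it reports every end port on that room switch as cut off from its VLAN's core domain, which is exactly the two mistakes worth catching before plugging anything in.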